How Can I Mitigate Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks?

LiteSpeed Web Server provides several features aimed at reducing and even eliminating the impact of HTTP-level DoS and DDoS attacks. The following configuration settings will help mitigate such attacks.

Per Client Throttling

The Configuration > Server > Security configurations > Per Client Throttling provides several configuration settings to limit the bandwidth and connection rate per remote IP address.

Request Throttling

Separate controls are available for throttling requests for static files and dynamic content.

Bandwidth Throttling

The server allows setting separate bandwidth limits for inbound and outbound traffic.

  • Bandwidth numbers will be rounded up in 4KB increments.
  • Set to “0” to disable throttling.
  • The Outbound Bandwidth limit allows serving more unique clients and prevents limited network bandwidth from getting used up by a small number of clients with fast network connections.

Connection Throttling

These settings control concurrent connections coming from one client (IP address) and guard against DoS attacks.

  • Connection Hard Limit controls how many concurrent connections are allowed from one IP address. If an IP reaches the hard connection limit, the web server will immediately close newly accepted connections from that IP address, and move on to pending connections from different IP addresses. As almost all web browsers support keep-alive/persistent connections (multiple requests pipelined through one connection), the number of connections required in normal browsing is very small. Typically, one connection is enough, but some web browsers try to establish additional connections to speed up downloading. Allowing 4 to 10 connections from one IP is recommended. Less than that will probably affect normal web services.
  • Use Connection Soft Limit, Grace Period, and Banned Period to spot and mitigate abusers: An IP address that stays over the soft limit for the length of the grace period will be banned for the length of time set in Banned Period. This is a good way to identify IPs that should be added to the Denied List. Note: The number of connections can temporarily exceed the soft limit during the grace period, as long as it is under the hard limit. After the grace period, if it is still above the soft limit, then no more connections will be allowed from that IP for duration of the banned period.

Default Settings:

Updated Settings:

Static Requests/second	40
Dynamic Requests/second	2
Outbound Bandwidth (bytes/sec)	0
Inbound Bandwidth (bytes/sec)	0
Connection Soft Limit	15
Connection Hard Limit	20
Block Bad Request	Yes
Grace Period (sec)	15
Banned Period (sec)	60

Explanation: An IP that has established more than 20 connections with the web server, or has established over 15 connections of over 15 seconds (the grace period), is treated as a DoS-attacker. The server will ban the IP for 60 seconds and record a log entry in the error log file. To exclude any IP from the client throttle limits (and bypass DDoS detection), add the IP with a trailing 'T' (aka trusted) in Allowed List (WebAdmin Console > Server > Security > Access Control).

The hard limit can be adjusted based on an attacker's strategy. If the botnet is not very aggressive, you will need to lower the limit to just below their max connection per IP, to make sure it won't affect a regular user. If they only make very few connections per IP, do not use hard limit to detect them.

The blocked IPs can be found in the real-time-stats report.

Max Request/Response Settings

Under Configuration > Server > Tuning:

  • Try to set Max Request URL Length, Max Request Header Size, Max Request Body Size, Max Dynamic Response Header Size, and Max Dynamic Response Body Size to values that go just above what you need to run your site. Getting these settings trimmed down will help identify attackers and reduce the amount of memory used when you do get attacked.

  • Set Connection Timeout to around 30 seconds and Keep-Alive Timeout to around 15 seconds or less. This will help close dead connections as soon as possible and make connections available to other clients.

Increase Max Connection Settings

Default: Change to: You should adjust Max Connections and Max SSL Connections to 20K/10K or even higher as long as the server has enough free memory. The purpose of the change is to increase the capacity, not to limit yourself under DoS attack.

The number of connection on port 80 doesn't matter. As long as the service is up, you've won!

Block IPs

If you know an attacker's IP, You can block it. Under Configuration > Server > Security:

  • Block IPs that abuse your web server by listing them in the Denied List in the Access Control table.

Hit the Same URL

If your server is flooded by hundreds of requests from different IPs but to the same URL, you can create a context (Configuration > Virtual Hosts > View/Edit > Context > Add > Type = Static) to block access to that URL. Set Accessible to No and the context URI to match or include the URL being attacked. For example, if the server is pounded with requests for /foo/bar.html, then adding a context with Accessible set to No and the URI set to /foo/bar.html will block all of those requests. You can also set the context URI to /foo/ to block requests to all URLs that start with /foo/.

Additional Help

If you need assistance configuring your site to mitigate attacks, check out LiteSpeed's Advanced Anti-DDoS Setup Service.

To order LiteSpeed Advanced Anti-DDos Setup Service, please check here

 
litespeed_wiki/config/mitigating-ddos-attacks.txt · Last modified: 2017/05/10 20:54 by Ron Saad